Lucene search

K
cvelistGitHub_MCVELIST:CVE-2023-23933
HistoryFeb 03, 2023 - 7:14 p.m.

CVE-2023-23933 Issue in Anomaly Detection with document and field level rules in numerical feature aggregations

2023-02-0319:14:35
CWE-125
GitHub_M
www.cve.org
1
cve-2023-23933
opensearch
anomaly detection
numerical feature aggregations
automatic notifications
application
user role
restricted fields
authentication
patch
versions 1.3.8
2.6.0

CVSS3

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

4.7

Confidence

High

EPSS

0.001

Percentile

21.0%

OpenSearch Anomaly Detection identifies atypical data and receives automatic notifications. There is an issue with the application of document and field level restrictions in the Anomaly Detection plugin, where users with the Anomaly Detector role can read aggregated numerical data (e.g. averages, sums) of fields that are otherwise restricted to them. This issue only affects authenticated users who were previously granted read access to the indexes containing the restricted fields. This issue has been patched in versions 1.3.8 and 2.6.0. There are no known workarounds for this issue.

CNA Affected

[
  {
    "vendor": "opensearch-project",
    "product": "anomaly-detection",
    "versions": [
      {
        "version": ">= 1.0.0, < 1.3.8 ",
        "status": "affected"
      },
      {
        "version": ">= 2.0.0, < 2.6.0",
        "status": "affected"
      }
    ]
  }
]

CVSS3

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

4.7

Confidence

High

EPSS

0.001

Percentile

21.0%

Related for CVELIST:CVE-2023-23933